{"id":833,"date":"2012-07-31T08:44:57","date_gmt":"2012-07-31T00:44:57","guid":{"rendered":"http:\/\/rmohan.com\/?p=833"},"modified":"2012-07-31T08:46:30","modified_gmt":"2012-07-31T00:46:30","slug":"vpn-server-with-openvpn","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=833","title":{"rendered":"VPN Server With OpenVPN"},"content":{"rendered":"<p>Depending on your circumstances, you may want to run the VPN from your home, or you may want to rent a VPS to run it from. If you\u2019re just trying to get into your home network, an SSH tunnel might be easier; I will write something about SSH tunneling later. For the purposes of this guide, there\u2019s no difference between using a spare machine at your house or a VPS\/Dedi other than port forwarding on the router. The configuration will be based on a machine running CentOS 5, with nano as the editor. It really doesn\u2019t matter what Linux distribution you use, or what editor. I also use wget for downloading. You can use Links, lynx, or any method you want to get the files.<\/p>\n<p>OpenVPN is being used for a number of reasons:<\/p>\n<ol>\n<li>It\u2019s extensively used privately and publicly.<\/li>\n<li>It\u2019s well supported.<\/li>\n<li>It uses OpenSSL instead of more complicated PKI certificate systems. (Don\u2019t confuse this with a Microsoft SSTP VPN; they aren\u2019t the same thing.)<\/li>\n<li>This type of VPN can be tunneled through a proxy or NAT device easily.<\/li>\n<li>It is a very capable VPN application, allowing for a large number of configuration scenarios including site to site, client to server, client to site, and reverse connections.<\/li>\n<\/ol>\n<div>Now, there is one huge drawback\u2026 It uses its own special set of protocols, and cannot be intermixed with other VPN clients or servers. An OpenVPN client cannot connect to an IPSec, PPTP, or SSTP VPN, and only OpenVPN clients can connect to OpenVPN servers. 
That being said, there are several third party clients available for OpenVPN, for all platforms. I will list the various options at the end of the article.<\/div>\n<p>Please read the entire guide before beginning the installation.<\/p>\n<div><strong>1. Downloading and installing OpenVPN<\/strong><\/div>\n<div>\n<blockquote><p>#wget <a href=\"http:\/\/swupdate.openvpn.org\/as\/openvpn-as-1.8.3-CentOS5.i386.rpm\">http:\/\/swupdate.openvpn.org\/as\/openvpn-as-1.8.3-CentOS5.i386.rpm<\/a><\/p><\/blockquote>\n<\/div>\n<blockquote>\n<div>\n<p>#rpm -i openvpn-as-1.8.3-CentOS5.i386.rpm<\/p>\n<\/div>\n<\/blockquote>\n<p>I\u2019m just downloading and installing one of the RPMs, but you can easily build from source if that\u2019s your style. The package should also be in most distro software repositories. The basic installation is insanely simple: just download and install the package. The installation will let you know that you need to change the password using \u201cpasswd openvpn\u201d, and that web UIs are available at https:\/\/serveraddress:943\/ and https:\/\/serveraddress:943\/admin for the user and admin logins respectively.<\/p>\n<p><strong>2. Configuration of the VPN Server<\/strong><\/p>\n<blockquote><p>If you haven\u2019t already set the password, please do so now.<\/p>\n<p>#passwd openvpn<\/p>\n<p>Changing password for user openvpn<\/p>\n<p>New UNIX password:<\/p>\n<p>BAD PASSWORD: it is based on a dictionary word<\/p>\n<p>Retype UNIX password:<\/p>\n<p>passwd: all authentication tokens updated successfully<\/p><\/blockquote>\n<p>I used \u201cpassword\u201d for my password; I\u2019d advise that you actually use a strong password.<\/p>\n<p>OpenVPN is now running on your server. Everything can be configured via the web interface available at https:\/\/server:943\/admin. The user name is openvpn, and the password is whatever you have set. A basic VPN is already in place using default certificates, PAM authentication, and a relatively secure client configuration. 
I\u2019m not going to cover some of the more advanced configurations here, such as site to site via an intermediary server, LDAP interoperability, or layer 2 tunneling.<\/p>\n<p>If you\u2019re having trouble reaching the VPN administration page, you\u2019ll need to check your firewall settings. I\u2019m not going to go through iptables commands, but you need to make sure that the bare minimum is present. The administration page provides a simple means to configure everything from client IP ranges to ciphers and authentication. The only thing you might *need* to change is the IP range. The firewall script below shows the full rule set; the interface name (em1) and the commented-out NAT and tun0 rules will need adjusting to match your own server.<\/p>\n<p>#!\/bin\/bash<\/p>\n<p>###### TURN ON IP FORWARDING ########<br \/>\necho 1 &gt; \/proc\/sys\/net\/ipv4\/ip_forward<\/p>\n<p>iptables -v -F;<br \/>\niptables -F -t mangle<br \/>\niptables -F -t nat;<br \/>\niptables -v -A INPUT -i lo -j ACCEPT;<\/p>\n<p># iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE<br \/>\n# iptables -t nat -A POSTROUTING -s 192.168.1.0\/24 -j MASQUERADE<br \/>\n# iptables -t nat -A POSTROUTING -s 192.168.25.0\/24 -o tun0 -j MASQUERADE<\/p>\n<p># iptables -A INPUT -i tun0 -j ACCEPT<br \/>\n# iptables -A OUTPUT -o tun0 -j ACCEPT<br \/>\n# iptables -A FORWARD -i tun0 -j ACCEPT<br \/>\n# iptables -I FORWARD -i em1 -o tun0 -j ACCEPT<br \/>\n# iptables -I FORWARD -i tun0 -o em1 -j ACCEPT<\/p>\n<p>########### BASIC RULE SET #############<br \/>\niptables -v -P INPUT DROP # Default Policy DROP<br \/>\n# iptables -v -A INPUT -m state --state RELATED,ESTABLISHED -j LOG --log-prefix \"ACCEPT\"<br \/>\niptables -v -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT; # ACCEPT ESTABLISHED<br \/>\niptables -A INPUT -p tcp -m state --state NEW --dport 80 -i em1 -j ACCEPT<br \/>\niptables -A INPUT -i em1 -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT #ALLOW IMAPS<br \/>\niptables -A INPUT -i em1 -p tcp --dport 1194 -m state --state NEW,ESTABLISHED -j ACCEPT #ALLOW OPENVPN<\/p>\n<p>########## 
CONNECTION LIMIT LOG\/DROP ############<br \/>\niptables -A INPUT -p tcp -i em1 -m state --state NEW -m recent --set<br \/>\niptables -A INPUT -p tcp -i em1 -m state --state NEW -m recent --update --seconds 30 --hitcount 10 -j LOG --log-level 4 --log-prefix \"LIMIT:\"<br \/>\niptables -A INPUT -p tcp -i em1 -m state --state NEW -m recent --update --seconds 30 --hitcount 10 -j DROP<\/p>\n<p>########### DROP SPOOFED PACKETS ###############<br \/>\niptables -A INPUT -s 127.0.0.0\/8 ! -i lo -j LOG --log-level 4 --log-prefix \"SPOOF PACKETS:\"<br \/>\niptables -A INPUT -s 127.0.0.0\/8 ! -i lo -j DROP<\/p>\n<p>########### LOG\/DROP NEW CONNECTIONS ##############<br \/>\n# iptables -A INPUT -p tcp -m state --state NEW -j LOG # LOG NEW TCP CONNECTIONS<br \/>\n# iptables -A INPUT -p tcp -m state --state NEW -j DROP # BLOCK NEW TCP CONNECTIONS<\/p>\n<p>######### LOG\/DROP FTP SSH AND SENDMAIL ############<br \/>\niptables -v -A INPUT -p tcp -s 0\/0 --dport 21 -j LOG # LOG FTP ATTEMPTS<br \/>\niptables -v -A INPUT -p tcp -s 0\/0 --dport 21 -j REJECT --reject-with tcp-reset # RESET FTP<br \/>\niptables -v -A INPUT -p tcp -s 0\/0 --dport 22 -j LOG # LOG SSH ATTEMPTS<br \/>\niptables -v -A INPUT -p tcp -s 0\/0 --dport 22 -j DROP # BLOCK SSH<br \/>\niptables -v -A INPUT -p tcp -s 0\/0 --dport 25 -j LOG # LOG SENDMAIL<br \/>\niptables -v -A INPUT -p tcp -s 0\/0 --dport 25 -j DROP # BLOCK SENDMAIL<\/p>\n<p>########### INPUT THAT IS NEEDED #################<br \/>\niptables -v -A INPUT -m state -m tcp --proto tcp --dport 80 --state NEW -j ACCEPT; # HTTP<br \/>\niptables -v -A INPUT -m state -m udp --proto udp --dport 53 --state NEW -j ACCEPT; # DNS<br \/>\niptables -v -A INPUT -m state -m tcp --proto tcp --dport 53 --state NEW -j ACCEPT; # DNS<\/p>\n<p>iptables -v -A INPUT -m state -m tcp --proto tcp --dport 22 --state NEW -j 
ACCEPT; # SSH<\/p>\n<p>iptables -v -A INPUT -m state -m tcp --proto tcp --dport 443 --state NEW -j ACCEPT; # HTTPS<\/p>\n<p>########### DENY FRAGMENT PACKETS ###############<br \/>\niptables -A INPUT -i em1 -f -m limit --limit 5\/m --limit-burst 7 -j LOG --log-level 4 --log-prefix \"FRAG DROP:\"<br \/>\niptables -A INPUT -i em1 -f -j DROP<\/p>\n<p>########### DROPS BAD PACKETS ###############<br \/>\niptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP<br \/>\niptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP<br \/>\niptables -A INPUT -i em1 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP<br \/>\niptables -A INPUT -i em1 -p tcp --tcp-flags ALL ALL -j DROP<\/p>\n<p>iptables -A INPUT -i em1 -p tcp --tcp-flags ALL NONE -m limit --limit 5\/m --limit-burst 7 -j LOG --log-level 4 --log-prefix \"NULL DROP:\"<br \/>\niptables -A INPUT -i em1 -p tcp --tcp-flags ALL NONE -j DROP # NULL packets<\/p>\n<p>iptables -A INPUT -i em1 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP<\/p>\n<p>iptables -A INPUT -i em1 -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5\/m --limit-burst 7 -j LOG --log-level 4 --log-prefix \"XMAS DROP:\"<br \/>\niptables -A INPUT -i em1 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS<\/p>\n<p>iptables -A INPUT -i em1 -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5\/m --limit-burst 7 -j LOG --log-level 4 --log-prefix \"FIN DROP:\"<br \/>\niptables -A INPUT -i em1 -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans<\/p>\n<p>iptables -A INPUT -i em1 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP<\/p>\n<p>########### LIMIT PING ATTEMPTS ###################<br \/>\niptables -A INPUT -p icmp -m icmp -m limit --limit 1\/second -j ACCEPT<\/p>\n<p>########### BLOCK CERTAIN ICMP ###################<br \/>\niptables -v -A INPUT -p icmp -j ACCEPT # ACCEPT ICMP PACKETS<br \/>\niptables -v -A INPUT -p 
icmp --icmp-type echo-request -j DROP # BLOCK ICMP ECHO<\/p>\n<p>########## BLOCK INVALID ICMP #####################<br \/>\niptables -v -A INPUT -i em1 -m state -p icmp --state INVALID -j DROP # BLOCK INVALID ICMP<br \/>\niptables -v -A FORWARD -i em1 -m state -p icmp --state INVALID -j DROP # BLOCK INVALID ICMP<br \/>\niptables -A OUTPUT -o em1 -m state -p icmp --state INVALID -j DROP # BLOCK INVALID ICMP<br \/>\niptables -A FORWARD -o em1 -m state -p icmp --state INVALID -j DROP # BLOCK INVALID ICMP<\/p>\n<p>############ BLOCK STEALTH SCAN ###################<br \/>\niptables -N st_scan # STEALTH SCAN CHAIN<br \/>\niptables -A st_scan -p tcp --tcp-flags SYN,FIN,RST,ACK RST,ACK -j RETURN # BLOCK STEALTH SCAN<br \/>\niptables -A st_scan -j LOG --log-level 4 --log-prefix \"STEALTH SCAN:\" # LOG STEALTH SCAN<br \/>\niptables -A st_scan -j DROP # DROP STEALTH SCAN<\/p>\n<p>########## PORTSCAN RULE SETUP ###################<br \/>\niptables -N port-scan # BEGIN PORTSCAN RULES<br \/>\niptables -A port-scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1\/s -j RETURN #BLOCK PSCAN<br \/>\niptables -A port-scan -j LOG --log-level 4 --log-prefix \"PORT SCAN:\" # LOG PORT SCAN<br \/>\niptables -A port-scan -j DROP # DROP PORT SCAN<\/p>\n<p>########## LOG ALL DROPPED PACKETS #################<br \/>\niptables -N logdrop<br \/>\niptables -A logdrop -j LOG --log-level 4 --log-prefix \"DROPPED:\" # LOG DROPPED PACKETS<br \/>\niptables -A logdrop -j DROP<\/p>\n<p>iptables -v -A INPUT -j REJECT; # REJECT EVERYTHING ELSE<\/p>\n<p>######## OUTPUT FOR SERVICES NEEDED ########<\/p>\n<p>iptables -v -P OUTPUT ACCEPT # Default Policy Accept<br \/>\niptables -v -A OUTPUT -o lo -j ACCEPT;<br \/>\niptables -v -A OUTPUT -o em1 -j ACCEPT;<br \/>\niptables -v -A OUTPUT -m tcp --proto tcp --dport 80 -j ACCEPT; # HTTP<br \/>\niptables -v -A OUTPUT -m tcp --proto tcp --dport 443 -j ACCEPT; # 
HTTPS<br \/>\niptables -v -A OUTPUT -m tcp --proto tcp --dport 445 -j ACCEPT; # SMB<br \/>\niptables -v -A OUTPUT -m tcp --proto tcp --dport 53 -j ACCEPT; # DNS<br \/>\niptables -v -A OUTPUT -m udp --proto udp --dport 53 -j ACCEPT; # DNS<br \/>\niptables -v -A OUTPUT -m tcp --proto tcp --dport 5222 -j ACCEPT; #Google Talk or Jabber<br \/>\niptables -v -A OUTPUT -m tcp --proto tcp --dport 5050 -j ACCEPT; #Yahoo<br \/>\niptables -v -A OUTPUT -m tcp --proto tcp --dport 6667 -j ACCEPT; #IRC<br \/>\niptables -v -A OUTPUT -m tcp --proto tcp --dport 7777 -j ACCEPT; #Jabber file Transfers<br \/>\niptables -A OUTPUT -o em1 -p tcp --dport 31337 --sport 31337 -j DROP # BLOCK BACKDOOR<br \/>\niptables -v -A OUTPUT -j REJECT;<\/p>\n<p>######### DEFAULT DROPS #######<\/p>\n<p>iptables -v -P FORWARD DROP # Default Policy DROP<br \/>\niptables -A FORWARD -p tcp -i em1 -m state --state NEW -m recent --set<br \/>\niptables -A FORWARD -p tcp -i em1 -m state --state NEW -m recent --update --seconds 30 --hitcount 10 -j DROP<br \/>\niptables -A FORWARD -p tcp --syn -m limit --limit 1\/s -j ACCEPT # SYN FLOOD PROTECT<br \/>\niptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1\/s -j ACCEPT # DEATH BY PING<br \/>\niptables -A FORWARD -p tcp -i em1 --dport 31337 --sport 31337 -j DROP # BLOCK BACKDOOR<br \/>\niptables -v -A FORWARD -j REJECT; # DEFAULT REJECT<\/p>\n<p>######### IPTABLES SAVE ##################<\/p>\n<p>iptables-save &gt; \/tmp\/iptables;<\/p>\n<p>iptables-restore &lt; \/tmp\/iptables;<\/p>\n<p>\/etc\/init.d\/iptables save<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Depending on your circumstances, you may want to run the VPN from your home, or you may want to rent a VPS to run it from. If you\u2019re just trying to get into your home network, an SSH tunnel might be easier; I will write something about SSH tunneling later. 
For the purposes of this [&#8230;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/833"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=833"}],"version-history":[{"count":3,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/833\/revisions"}],"predecessor-version":[{"id":835,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/833\/revisions\/835"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=833"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=833"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=833"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}